Partial order reductions for model checking temporal
epistemic logics over interleaved multi-agent systems
∗
Alessio Lomuscio
Department of Computing
Imperial College London, UK
Wojciech Penczek
ICS PAS
and Univ. of Podlasie, Poland
ABSTRACT
We investigate partial order reduction for model checking multiagent systems by focusing on interleaved interpreted systems. These
are a particular class of interpreted systems, a mainstream MAS
formalism, in which only one action at the time is performed. We
present a notion of stuttering-equivalence, and prove the semantical equivalence of stuttering-equivalent traces with respect to linear
and branching time temporal logics for knowledge without the next
operator. We give algorithms to reduce the size of the models before the model checking step and show preservation properties. We
evaluate the technique by discussing the experimental results obtained against well-known examples in the MAS literature.
Categories and Subject Descriptors
D.2 [Software Engineering]: Software/Program Verification
General Terms
Verification
Keywords
Verification of MAS, Model Checking, Partial order reduction
1.
INTRODUCTION
Several approaches have been put forward for the verification of
MAS by means of model checking [3]. Some approaches are based
on reducing the verification problem to the one of plain temporal
logic and use existing tools for that task [1]. Others treat typical
MAS modalities such as knowledge, correctness, cooperation, as
first-class citizens and introduce novel algorithms for them, e.g.,
[31]. In an attempt to limit the state-space explosion problem (i.e.,
the difficulty that the state space of the system grows exponentially
with the number of variables in the agents) two main symbolic approaches have been proposed: ordered binary decision diagrams
[31, 27], and bounded model checking via propositional satisfiability [24]. Both have produced positive results showing the ability to
∗Partly supported by EPSRC project EP/02727X.
†Supported by the European Commission Framework Program 7
project CONNECT (IST Project Number 231167).
Cite as: Partial order reductions for model checking temporal-epistemic
logics over interleaved multi-agent systems, A. Lomuscio, W. Penczek and
H. Qu, Proc. of 9th Int. Conf. on Autonomous Agents and Multiagent
Systems (AAMAS 2010), van der Hoek, Kaminka, Lespérance, Luck and
Sen (eds.), May, 10–14, 2010, Toronto, Canada, pp. XXX-XXX.
c 2010, International Foundation for Autonomous Agents and
Copyright ⃝
Multiagent Systems (www.ifaamas.org). All rights reserved.
†
Hongyang Qu
Oxford University Computing
Laboratory, UK
tackle state spaces of 1030 and above. However, in the standard literature of model checking reactive systems other, sometimes more
efficient, approaches exists.
In particular, partial order reduction [23] is one of the most
widely known techniques in verification of reactive systems. Still,
the only approach to partial order reduction in a MAS context [17]
presents theoretical results only, with no algorithm nor an implementation being discussed; as such it is difficult to assess how effective it is in concrete cases. Given their autonomous nature, MAS
differ from standard reactive systems by displaying more “loosely
coupled” behaviours. This makes the state-explosion problem even
more challenging for MAS than it is already for reactive systems.
It seems therefore of importance to conduct a systematic and comparative study of all possible techniques available to determine the
most appropriate treatment to the verification problem.
In this paper we aim to make concrete progress in this area by
introducing partial order reduction on a particular class of interpreted systems that we call interleaved interpreted systems (IIS).
IIS are a special class of interpreted systems [5] in which only one
action at a time is performed in a global transition. Several agents
may be participating in the global action but, if so, they perform
the same action, thereby synchronising at that particular time step.
Many asynchronous reactive systems have been studied on similar
semantics (see, e.g., [20, 7]). Several settings in MAS, where the
moves are carried out following turns (e.g., games), or where joint
actions are not considered (e.g., non-interacting robots), can also
be easily modelled in this way.
In a nutshell, given a model 𝑀𝑆 (representing a system 𝑆) and a
formula 𝜙𝑃 (representing a specification property 𝑃 to be checked)
in the temporal logic LTL−𝑋 (the linear temporal logic LTL without the neXt operator 𝑋), model checking via partial order reduction suggests to compute 𝑀𝑆 ∣= 𝜙𝑃 by replacing 𝑀𝑆 with
a smaller model 𝑀𝑆′ built on traces that are semantically equivalent (with respect to 𝜙𝑃 ) to the ones of 𝑀𝑆 . Of key importance in
this line of work is not only to determine a notion of equivalence
but also to present algorithms that can transform (in polynomial
time) 𝑀𝑆 into a suitable 𝑀𝑆′ . Ideally the generation is conducted
on the fly and 𝑀𝑆 is actually never built explicitly. The literature
of reactive systems has shown that in several scenarios this reduction can be very effective and brings results comparable or superior
to the ones of other techniques including ordered-binary decision
diagrams.
In this paper we draw inspiration from the above to conduct a
similar exercise in the context of MAS logics. We begin in Section 2 by presenting IIS and the logic CTL*K−𝑋 , and, in particular, LTLK−𝑋 and CTLK−𝑋 . These temporal epistemic logics with
knowledge are very commonly used in a MAS settings but appear
here without the “next” operator because of standard inherent lim-
itations in the technique we present. In Section 3 we proceed to
present a notion of stuttering-equivalence with respect to IIS. We
move on to describe novel partial order algorithms that preserve
LTLK−𝑋 and CTL*K−𝑋 properties in Section 4. In Section 5 we
present an implementation of the technique and report key experimental results. We conclude the paper in Section 6.
2.
PRELIMINARIES
We introduce here the basic technical background to the present
paper. In particular we introduce the semantics of interpreted systems, properly augmented with suitable concepts for our needs, and
the basic syntax we shall be using in the rest of the paper.
2.1
Interleaved Interpreted Systems
The semantics of interpreted systems provides a setting to reason
about MAS by means of specifications based on knowledge and linear time. We report here the basic setting as popularised in [5]. Actions in interpreted systems are typically considered to be executed
at the same round by all participants: this permits the modelling of
synchronous systems in a natural way. While interpreted systems
are typically considered in their synchronous variant here we look
at the asynchronous case by assuming that only one local action
may be performed at a given time in a global state. Further, we
assume that if more than one agent is active at a given round, all
active agents perform the same (shared) action in the round. Differently from standard interpreted systems where, in principle, the
agents’ resulting local states depend on the actions performed by
all the agents in the system, here we assume the local states are
only influenced by the same agent’s action at the previous round.
Note that it is still possible for agents to communicate by means of
shared action.
We begin by assuming a MAS to be composed of 𝑛 agents 𝒜 =
{1, . . . , 𝑛}1 . We associate a set of possible local states 𝐿𝑖 =
𝑖
} to
{𝑙𝑖1 , 𝑙𝑖2 , . . . , 𝑙𝑖𝑛𝑙𝑖 } and actions 𝐴𝑐𝑡𝑖 = {𝜖𝑖 , 𝑎1𝑖 , 𝑎2𝑖 , . . . , 𝑎𝑛𝑎
𝑖
each agent 𝑖 ∈ 𝒜. We call the special action 𝜖𝑖 the “null”, or
“silent” action of agent 𝑖; as it will be clear below the local state
of agent 𝑖 remains the same if the null action is performed. Also
note we do not assume
∪ that the sets of actions of agents to be disjoint. We call 𝐴𝑐𝑡 = 𝑖∈𝒜 𝐴𝑐𝑡𝑖 the union of all the sets 𝐴𝑐𝑡𝑖 . For
each action 𝑎 by 𝐴𝑔𝑒𝑛𝑡(𝑎) ⊆ 𝒜 we mean all the agents 𝑖 such that
𝑎 ∈ 𝐴𝑐𝑡𝑖 , i.e., the set of agents potentially able to perform 𝑎.
Following closely the interpreted system model, we consider a
local protocol modelling the program the agent is executing. Formally, for any agent 𝑖, the actions of the agents are selected according to a local protocol 𝑃𝑖 : 𝐿𝑖 → 2𝐴𝑐𝑡𝑖 ; we assume that
𝜖 ∈ 𝑃𝑖 (𝑙𝑖𝑚 ), for any 𝑙𝑖𝑚 ; in other words we insist on the null action to be enabled at every local state. For each agent 𝑖, we define an evolution (partial) function 𝑡𝑖 : 𝐿𝑖 × 𝐴𝑐𝑡𝑖 → 𝐿𝑖 , where
𝑡𝑖 (𝑙𝑖 , 𝜖𝑖 ) = 𝑙𝑖 for each 𝑙𝑖 ∈ 𝐿𝑖 . Note the local transition function
considered here differs from the standard treatment in interpreted
systems by depending only on the local action in question.
A global state 𝑔 = (𝑙1 , . . . , 𝑙𝑛 ) is a tuple of local states for all the
agents in the MAS corresponding to an instantaneous snapshot of
the system at a given time. Given a global state 𝑔 = (𝑙1 , . . . , 𝑙𝑛 ),
we denote by 𝑔 𝑖 = 𝑙𝑖 the local component of agent 𝑖 ∈ 𝒜 in 𝑔.
Given the notions above we can now define formally the global
transitions we consider in this paper.
D EFINITION 2.1 (I NTERLEAVED SEMANTICS ). Let 𝐺 be a set
of global states. The global interleaved evolution function 𝑡 : 𝐺 ×
𝐴𝑐𝑡1 ×⋅ ⋅ ⋅×𝐴𝑐𝑡𝑛 → 𝐺 is defined as follows: 𝑡(𝑔, 𝑎𝑐𝑡1 , . . . , 𝑎𝑐𝑡𝑛 ) =
𝑔 ′ iff there exists an action 𝑎 ∈ 𝐴𝑐𝑡 such that for all 𝑖 ∈ 𝐴𝑔𝑒𝑛𝑡(𝑎),
𝑎𝑐𝑡𝑖 = 𝑎 and 𝑡𝑖 (𝑔 𝑖 , 𝑎) = 𝑔 ′𝑖 , and for all 𝑖 ∈ 𝒜 ∖ 𝐴𝑔𝑒𝑛𝑡(𝑎),
𝑎
𝑎𝑐𝑡𝑖 = 𝜖𝑖 and 𝑡𝑖 (𝑔 𝑖 , 𝑎𝑐𝑡𝑖 ) = 𝑔 ′𝑖 . We denote the above as 𝑔 −→ 𝑔 ′ .
Similar to blocking synchronisation in automata, the above insists
on all agents performing the same action in a global transition; additionally note that if an agent has the action being performed in
its repertoire it must be performed for the global transition to be
allowed. This assumes local protocols are defined in such a way to
permit this; if a local protocol does not allow this, the local action
cannot be performed and therefore the global transition does not
comply with the definition of interleaving above. As we formally
clarify below we only consider interleaved transitions here.
We assume that the global transition relation is total, i.e., that
𝑎
for any 𝑔 ∈ 𝐺 there exists an 𝑎 ∈ 𝐴𝑐𝑡 such that 𝑔 −→ 𝑔 ′ ,
′
for some 𝑔 ∈ 𝐺. A sequence of global states and actions 𝜋 =
𝑔0 𝑎0 𝑔1 𝑎1 𝑔2 . . . is called an interleaved path, or an interleaved run
(or more simply a path or a run) originating at 𝑔0 if there is a se𝑎𝑖
quence of interleaved transitions from 𝑔0 onwards, i.e., if 𝑔𝑖 −→
𝑔𝑖+1 for every 𝑖 ≥ 0. The set of interleaved paths originating from
𝑔 is denoted as Π(𝑔). A state 𝑔 is said to be reachable from 𝑔0 if
there is an interleaved path 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 𝑔2 . . . such that 𝑔 = 𝑔𝑖
for some 𝑖 ≥ 0.
D EFINITION 2.2 (I NTERLEAVED I NTERPRETED S YSTEMS ).
Given a set of propositions 𝑃 𝑉 , an interleaved interpreted system
(IIS), also referred to as a model, is a 4-tuple 𝑀 = (𝐺, 𝜄, Π, 𝑉 ),
where 𝐺 is a set of global states, 𝜄 ∈ 𝐺 is an initial∪(global) state
Π(𝑔) is the
such that each state in 𝐺 is reachable from 𝜄, Π =
𝑔∈𝐺
set of all the interleaved paths originating from all states in 𝐺, and
𝑉 : 𝐺 → 2𝑃 𝑉 is a valuation function.
Figure 1 presents an interleaved interpreted system (the untimed
version of the original Train-Gate-Controller (TGC) [26]) composed of three agents: a controller and two trains. Each train runs
on a circular track and both tracks pass through a narrow tunnel
(state ’T’), allowing one train only to go through it to state Away
(’A’) at any time. The controller operates the signal (Green (’G’)
and Red (’R’)) to let trains enter and leave the tunnel. In the figure, the initial states of the controller and the train are ’G’ and ’W’
(Waiting) respectively, and the transitions with the same label are
synchronised. Silent 𝜖 actions are omitted in the figure.
W
a1
a3
T
a2
A
Train1
W
G
a2
a1
b1
b1
b2
b3
R
Controller
T
b2
A
Train2
Figure 1: An IIS of TGC composed of two trains
In order to define partial order reductions we need the following
relations.
D EFINITION 2.3. Let 𝑖 ∈ 𝒜, 𝑔, 𝑔 ′ ∈ 𝐺, and 𝐽 ⊆ 𝒜.
∩
∙ ∼𝑖 = {(𝑔, 𝑔 ′ ) ∈ 𝐺 × 𝐺 ∣ 𝑔 𝑖 = 𝑔 ′𝑖 }, ∼𝐽 = 𝑗∈𝐽 ∼𝑗 .
∙ 𝐼 = {(𝑎, 𝑏) ∈ 𝐴𝑐𝑡 × 𝐴𝑐𝑡 ∣ 𝐴𝑔𝑒𝑛𝑡(𝑎) ∩ 𝐴𝑔𝑒𝑛𝑡(𝑏) = ∅}.
1
Note in the present study we do not consider the environment
component. This may be added with no technical difficulty at the
price of heavier notation.
The first relation (∼𝑖 ) is the indistinguishably relation for the epistemic modality (see below), the second (∼𝐽 ) corresponds to the
indistinguishably relation for the epistemic modality of distributed
knowledge in group 𝐽, whereas the third (𝐼) is referred to as the independency relation in partial order approaches. Notice that ∼∅ =
𝐺 × 𝐺 while ∼𝒜 = 𝑖𝑑𝐺 . We say that two actions 𝑎, 𝑎′ are dependent if (𝑎, 𝑎′ ) ∕∈ 𝐼. For each of the relations 𝑅 given in Def. 2.3 by
𝑥 𝑅 𝑦 we mean that (𝑥, 𝑦) ∈ 𝑅.
D EFINITION 2.4 (R EDUCED M ODEL ). Consider two models
𝑀 = (𝐺, 𝜄, Π, 𝑉 ), 𝑀 ′ = (𝐺′ , 𝜄′ , Π′ , 𝑉 ′ ). If 𝐺′ ⊆ 𝐺, 𝜄′ = 𝜄
and 𝑉 ′ = 𝑉 ∣𝐺′ , then we write 𝑀 ′ ⊆ 𝑀 and say that 𝑀 ′ is a
submodel of 𝑀 , or that 𝑀 ′ is a reduced model of 𝑀 .
2.3
Let 𝑀 = (𝐺, 𝜄, Π, 𝑉 ) be a model and let 𝜋 = 𝑔0 𝑎0 𝑔1 ⋅ ⋅ ⋅ be an
infinite path of 𝐺. Let 𝜋𝑖 denote the suffix 𝑔𝑖 𝑎𝑖 𝑔𝑖+1 ⋅ ⋅ ⋅ of 𝜋 and
𝜋(𝑖) denote the state 𝑔𝑖 . Satisfaction of a formula 𝜑 in a state 𝑔 of
𝑀 , written (𝑀, 𝑔) ∣= 𝜑, or just 𝑔 ∣= 𝜑, is defined inductively as
follows:
S1. 𝑔 ∣= 𝑞 iff 𝑞 ∈ 𝑉 (𝑔), for 𝑞 ∈ 𝑃 𝑉 ,
S2. 𝑔 ∣= ¬𝜑 iff not 𝑔 ∣= 𝜑,
𝑔 ∣= 𝜑 ∧ 𝜓 iff 𝑔 ∣= 𝜑 and 𝑔 ∣= 𝜓,
𝑔 ∣= 𝐾𝑖 𝜑 iff 𝑔 ′ ∣= 𝜑 for every 𝑔 ′ ∈ 𝐺 such that 𝑔 ∼𝑖 𝑔 ′ ,
We now define the syntax and semantics of our language.
2.2
Syntax of CTL*K−𝑋
S3. 𝑔 ∣= 𝐴𝜑 iff 𝜋 ∣= 𝜑 for every path 𝜋 starting at 𝑔,
Combinations of linear/branching time and knowledge have long
been used in the analysis of temporal epistemic properties of systems [5, 9]. We recall the basic definitions here and adapt them to
our purposes when needed. Let 𝑃 𝑉 be a finite set of propositions.
For generality, we first give a syntax of CTL*K−𝑋 and then restrict
it to LTLK−𝑋 and other sublanguages. The state and path formulas
of CTL*K−𝑋 are defined inductively as follows:
S1. every member of PV is a state formula,
S2. if 𝜑 and 𝜓 are state formulas, then so are ¬𝜑, 𝜑 ∧ 𝜓, and
𝐾𝑖 𝜑 (𝑖 ∈ 𝒜),
S3. if 𝜑 is a path formula, then 𝐴𝜑 and 𝐸𝜑 are state formulas,
P1. any state formula 𝜑 is also a path formula,
P2. if 𝜑, 𝜓 are path formulas, then so are 𝜑 ∧ 𝜓 and ¬𝜑,
P3. if 𝜑, 𝜓 are path formulas, then so is 𝑈 (𝜑, 𝜓).
The path quantifier 𝐴 has the intuitive meaning “for all paths”
whereas 𝐸 stands for “there is a path”. The operator 𝑈 denotes
the standard “until” modality. 𝐾𝑖 denotes knowledge of agent 𝑖:
𝐾𝑖 𝜙 is read as “agent i knows that 𝜙”. CTL*K−𝑋 consists of the
set of all state formulae. The following abbreviations will be used:
def
Semantics of CTL*K−𝑋
def
𝑡𝑟𝑢𝑒 = ¬(𝑝 ∧ ¬𝑝), for some 𝑝 ∈ 𝑃 𝑉 , 𝐹 𝜑 = 𝑈 (𝑡𝑟𝑢𝑒, 𝜑),
def
𝐺𝜑 = ¬𝐹 ¬𝜑. As standard, 𝐹 represents the temporal operator
of “eventually” (in the future) and 𝐺 corresponds to “forever” (in
the future). Given their intuitive interpretation, sometimes we call
𝐴, 𝐸 state modalities, and 𝐾𝑖 , 𝑈, 𝐺, 𝐹 path modalities. We now
define a variety of logics included in CTL*K−𝑋 .
D EFINITION 2.5.
∙ LTLK−𝑋 ⊂ CTL*K−𝑋 is the fragment of CTL*K−𝑋 in which
all modal formulas are of the form 𝐴𝜑, where 𝜑 does not
contain the state modalities Aand E. We write 𝜑 instead of
𝐴𝜑 if confusion is unlikely.
∙ ACTL*K−𝑋 ⊂ CTL*K−𝑋 is the fragment of CTL*K−𝑋 in
which the state modality 𝐸 does not appear in any formula
and the negation only appears in subformulas not containing
any state or path modalities.
∙ CTLK−𝑋 ⊂ CTL*K−𝑋 is the fragment of CTL*K−𝑋 in which
the state modalities A, E, and the path modalities U, F and G
may only appear paired in the combinations 𝐴𝑈 , 𝐸𝑈 , 𝐴𝐹 ,
𝐸𝐹 , 𝐴𝐺, and 𝐸𝐺.
∙ For any logic L and 𝐽 ⊆ 𝒜, we write L𝐽 for the restriction
of the logic L such that for each subformula 𝐾𝑖 𝜑 we have
𝑖 ∈ 𝐽.
Observe the logics CTLK and LTLK without next operators are
subsets of the logics above.
𝑔 ∣= 𝐸𝜑 iff 𝜋 ∣= 𝜑 for some path 𝜋 starting at 𝑔,
P1. 𝜋 ∣= 𝜑 iff 𝑔0 ∣= 𝜑 for any state formula 𝜑,
P2. 𝜋 ∣= ¬𝜑 iff not 𝜋 ∣= 𝜑; 𝜋 ∣= 𝜑 ∧ 𝜓 iff 𝜋 ∣= 𝜑 and 𝜋 ∣= 𝜓,
P3. 𝜋 ∣= 𝑈 (𝜑, 𝜓) iff there is an 𝑖 ≥ 0 such that 𝜋𝑖 ∣= 𝜓 and
𝜋𝑗 ∣= 𝜑 for all 0 ≤ 𝑗 < 𝑖.
3.
EQUIVALENCES
We now proceed to give a notion of behavioural equivalence and
to show this is preserved under the particular algorithm we introduce in the next section. To begin with we define a notion of action
invisibility.
D EFINITION 3.1. An action 𝑎 ∈ 𝐴𝑐𝑡 is invisible in a model
𝑎
(𝐺, 𝜄, Π, 𝑉 ) if whenever 𝑔 −→ 𝑔 ′ for any two states 𝑔, 𝑔 ′ ∈ 𝐺 we
′
have that 𝑉 (𝑔) = 𝑉 (𝑔 ).
An action 𝑎 ∈ 𝐴𝑐𝑡 is J-invisible in a model (𝐺, 𝜄, Π, 𝑉 ) if
𝑎
whenever 𝑔 −→ 𝑔 ′ for any two states 𝑔, 𝑔 ′ ∈ 𝐺 we have that
′
𝑉 (𝑔) = 𝑉 (𝑔 ) and 𝑔 ∼𝐽 𝑔 ′ .
In other words, an action is invisible if its execution does not change
the global valuation. An action is J-invisible if it is invisible and all
local states in 𝐽 are not changed by its execution (recall that all local states in 𝒜∖𝐴𝑔𝑒𝑛𝑡(𝑎) are not changed in the transition labelled
with 𝑎 either).
We denote the set of invisible (respectively, J-invisible) actions
by 𝐼𝑛𝑣𝑖𝑠 (𝐼𝑛𝑣𝑖𝑠𝐽 , respectively), and we write 𝑉 𝑖𝑠 = 𝐴𝑐𝑡 ∖ 𝐼𝑛𝑣𝑖𝑠
(respectively, 𝑉 𝑖𝑠𝐽 = 𝐴𝑐𝑡 ∖ 𝐼𝑛𝑣𝑖𝑠𝐽 ) for the set of visible actions
((J-)visible actions, respectively).
D EFINITION 3.2. Let 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 ⋅ ⋅ ⋅ be a (finite or infinite)
path in a model 𝑀 and 𝐽 ⊆ 𝒜. We define the J-stuttering-free
projection 𝑃 𝑟𝐽 (𝜋) of a path 𝜋 inductively as follows:
∙ 𝑃 𝑟𝐽 (𝑔0 ) = 𝑔0 ;
∙ 𝑃 𝑟𝐽 (𝑔0 ⋅ ⋅ ⋅ 𝑔𝑖 ) = 𝑃 𝑟𝐽 (𝑔1 ⋅ ⋅ ⋅ 𝑔𝑖 ) if 𝑉 (𝑔0 ) = 𝑉 (𝑔1 ) and
𝑔0 ∼𝐽 𝑔1 ; 𝑃 𝑟𝐽 (𝑔0 . . . 𝑔𝑖 ) = 𝑔0 𝑃 𝑟𝐽 (𝑔1 . . . 𝑔𝑖 ) otherwise.
3.1
Equivalence preserving LTLK𝐽−𝑋
Let 𝑀 = (𝐺, 𝜄, Π, 𝑉 ) and 𝑀 ′ = (𝐺′ , 𝜄′ , Π′ , 𝑉 ′ ) be two models
such that 𝑀 ′ ⊆ 𝑀 . In the following, we begin with the definition
of J-stuttering among states. Then, we define stuttering equivalence of two paths 𝜋, 𝜋 ′ ∈ Π and extend it to J-stuttering equivalence. Finally, we present the notion of J-stuttering trace equivalence over states.
D EFINITION 3.3 (J- STUTTERING OF S TATES ). Two states
𝑔 ∈ 𝐺 and 𝑔 ′ ∈ 𝐺′ are J-stuttering, denoted with 𝐽𝐾𝑆(𝑔, 𝑔 ′ ), if
𝑉 (𝑔) = 𝑉 ′ (𝑔 ′ ) and 𝑔 ∼𝐽 𝑔 ′ .
D EFINITION 3.4 (S TUTTERING E QUIVALENCE ). A path 𝜋 in
𝑀 and a path 𝜋 ′ in 𝑀 ′ are called stuttering equivalent, denoted
𝜋 ≡𝑠 𝜋 ′ , if there exists a partition 𝐵1 , 𝐵2 . . . of the states of 𝜋,
and a partition 𝐵 ′ 1 , 𝐵 ′ 2 . . . of the states of 𝜋 ′ such that for each
𝑗 ≥ 0 we have that 𝐵𝑗 and 𝐵 ′ 𝑗 are nonempty and finite, and for every state 𝑔 in 𝐵𝑗 and every state 𝑔 ′ in 𝐵 ′ 𝑗 we have 𝑉 (𝑔) = 𝑉 ′ (𝑔 ′ ).
D EFINITION 3.5 (J- STUTTERING E QUIVALENCE ). Two paths
𝜋 in 𝑀 and 𝜋 ′ in 𝑀 ′ are called J-stuttering equivalent, denoted
𝜋 ≡𝐽𝑘𝑠 𝜋 ′ , if 𝜋 ≡𝑠 𝜋 ′ and for each 𝑗 ≥ 0 and for every state 𝑔 in
𝐵𝑗 and every state 𝑔 ′ in 𝐵 ′ 𝑗 we have 𝑔 ∼𝐽 𝑔 ′ ,
D EFINITION 3.6 (J- STUTTERING T RACE E QUIVALENCE ).
Two states 𝑔 in 𝑀 and 𝑔 ′ in 𝑀 ′ are said to be J-stuttering trace
equivalent, denoted 𝑔 ≡𝐽𝑘𝑠 𝑔 ′ , if
1. for each infinite path 𝜋 in 𝑀 starting at 𝑔, there is an infinite
path 𝜋 ′ in 𝑀 ′ starting at 𝑔 ′ such that 𝜋 ≡𝐽𝑘𝑠 𝜋 ′ ;
2. for each infinite path 𝜋 ′ in 𝑀 ′ starting at 𝑔 ′ , there is an
infinite path 𝜋 in 𝑀 starting at 𝑔 such that 𝜋 ′ ≡𝐽𝑘𝑠 𝜋.
Two models 𝑀 and 𝑀 ′ are J-stuttering trace equivalent denoted
𝑀 ≡𝐽𝑘𝑠 𝑀 ′ , if 𝜄 ≡𝐽𝑘𝑠 𝜄′ .
The following theorem connects LTLK𝐽−𝑋 with J-stuttering trace
equivalence:
T HEOREM 3.7. Let 𝑀 and 𝑀 ′ be two J-stuttering trace equivalent models, where 𝑀 ′ ⊆ 𝑀 . Then, 𝑀, 𝜄 ∣= 𝜑 iff 𝑀 ′ , 𝜄′ ∣= 𝜑,
for any LTLK𝐽−𝑋 formula 𝜑 over 𝑃 𝑉 .
P ROOF. Part 1: First we prove that for each path 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 . . .
of 𝑀 if 𝑎𝑖 is J-invisible, then 𝑀, 𝜋𝑖 ∣= 𝜑 iff 𝑀, 𝜋𝑖+1 ∣= 𝜑 for each
LTLK𝐽−𝑋 formula 𝜑.
By induction on the structure of 𝜑. For 𝜑 ∈ 𝑃 𝑉 the thesis follows directly from the definition of J-invisibility. The case of ∧ and
¬ is straightforward. For 𝜑 = 𝑈 (𝜙, 𝜓) the thesis follows directly
from the semantics of 𝑈 and the inductive assumption. Consider
𝜑 = 𝐾𝑖 𝜓. If 𝑀, 𝜋𝑖 ∣= 𝜑, then it follows from 𝜋(𝑖) ∼𝐽 𝜋(𝑖 + 1)
that 𝑀, 𝜋𝑖+1 ∣= 𝜓 and since ∼𝑖 is an equivalence relation we have
𝑀, 𝜋𝑖+1 ∣= 𝐾𝑖 𝜓. A similar proof holds for 𝑀, 𝜋𝑖+1 ∣= 𝜑 implies
𝑀, 𝜋𝑖 ∣= 𝜑.
Part 2: Now, we prove the theorem itself, also by induction on the
complexity of 𝜑. In fact, we prove a stronger result, i.e., that from
𝑔 ≡𝐽𝑘𝑠 𝑔 ′ , it follows that 𝑀, 𝑔 ∣= 𝜑 iff 𝑀 ′ , 𝑔 ′ ∣= 𝜑, for any
LTLK𝐽−𝑋 formula 𝜑 over 𝑃 𝑉 .
(⇒): For 𝜑 ∈ 𝑃 𝑉 the thesis follows directly from the definition of ∼𝐽𝑘𝑠 . The cases of ∧ and ¬ are straightforward. Consider
𝜑 = 𝑈 (𝜙, 𝜓) and a path 𝜋 starting at 𝑔. We have 𝜋 ∣= 𝑈 (𝜙, 𝜓).
Then, there is a path 𝜋 ′ starting at 𝑔 ′ such that 𝜋 ≡𝐽𝑘𝑠 𝜋 ′ . By the
inductive assumption we have that 𝜋 ∣= 𝜙 iff 𝜋 ′ ∣= 𝜙 and 𝜋 ∣= 𝜓
iff 𝜋 ′ ∣= 𝜓. Since 𝜋 ≡𝐽𝑘𝑠 𝜋 ′ we have that 𝑃 𝑟𝐽 (𝜋)𝑖 ∣= 𝜙 iff
𝑃 𝑟𝐽 (𝜋 ′ )𝑖 ∣= 𝜙 and 𝑃 𝑟𝐽 (𝜋)𝑖 ∣= 𝜓 iff 𝑃 𝑟𝐽 (𝜋 ′ )𝑖 ∣= 𝜓 for all 𝑖 ≥ 0.
Thus, it follows from Part 1) that 𝜋 ′ ∣= 𝜑. So, clearly we have that
if 𝑀, 𝑔 ∣= 𝑈 (𝜙, 𝜓), then 𝑀, 𝑔 ′ ∣= 𝑈 (𝜙, 𝜓).
Consider 𝜑 = 𝐾𝑖 𝜓 and let 𝑀, 𝑔 ∣= 𝜑. Let 𝐺𝜓 = {𝑔1 ∈ 𝐺 ∣
𝑔 ∼𝑖 𝑔1 }. Consider 𝑔1′ s.t. 𝑔 ′ ∼𝑖 𝑔1′ . We have to show that
𝑀 ′ , 𝑔1′ ∣= 𝜓. Since 𝑔 ≡𝐽𝑘𝑠 𝑔 ′ , by transitivity of ∼𝑖 we have that
𝑔1′ ∈ 𝐺𝜓 . So, clearly 𝑀, 𝑔1′ ∣= 𝜓. As 𝑔1′ ≡𝐽𝑘𝑠 𝑔1′ , it follows from
the inductive assumption that 𝑀 ′ , 𝑔1′ ∣= 𝜓. So, we get 𝑀 ′ , 𝑔 ′ ∣= 𝜑.
(⇐) We consider only the case of 𝜑 = 𝐾𝑖 𝜓. The proof for other
cases is similar to (⇒).
Let 𝜑 = 𝐾𝑖 𝜓 and let 𝑀 ′ , 𝑔 ′ ∣= 𝜑. Let 𝐺′𝜓 = {𝑔1′ ∈ 𝐺′ ∣
𝑔 ′ ∼𝑖 𝑔1′ }. Consider 𝑔1 s.t. 𝑔 ∼𝑖 𝑔1 . We have to show that
𝑀, 𝑔1 ∣= 𝜓. Consider a path in 𝑀 starting at 𝜄 which contains
𝑔1 . Since 𝑀 ≡𝐽𝑘𝑠 𝑀 ′ , there is a path in 𝑀 ′ starting at 𝜄′ , which
contains a state 𝑔2′ ∈ 𝐺′ such that 𝑔1 ≡𝐽𝑘𝑠 𝑔2′ . So, 𝑔2′ ∈ 𝐺′𝜓 by
transitivity of ∼𝑖 . Thus, clearly 𝑀 ′ , 𝑔2′ ∣= 𝜓. As 𝑔1 ≡𝐽𝑘𝑠 𝑔2′ ,
it follows from the inductive assumption that 𝑀, 𝑔1 ∣= 𝜓. So,
𝑀, 𝑔 ∣= 𝜑.
3.2
Equivalences preserving ACTL*K𝐽−𝑋 and
CTL*K𝐽−𝑋
As before let 𝑀 = (𝐺, 𝜄, Π, 𝑉 ) and 𝑀 ′ = (𝐺′ , 𝜄′ , Π′ , 𝑉 ′ ) be
two models such that 𝑀 ′ ⊆ 𝑀 . In the following, we begin with
the definition of J-stuttering (bi)-simulation between 𝑀 and 𝑀 ′ .
Then, we define visible J-(bi)-simulation between two models.
D EFINITION 3.8 (J- STUTTERING SIMULATION ). A relation
∼𝑗𝑠𝑠 ⊆ 𝐺′ × 𝐺 is a J-stuttering simulation between two models 𝑀
and 𝑀 ′ if the following conditions hold:
1. 𝜄′ ∼𝑗𝑠𝑠 𝜄,
2. if 𝑔 ′ ∼𝑗𝑠𝑠 𝑔, then 𝐽𝐾𝑆(𝑔, 𝑔 ′ ) and for every path 𝜋 of 𝑀 ,
there is a path 𝜋 ′ in 𝑀 ′ , a partition 𝐵1 , 𝐵2 . . . of 𝜋, and a
partition 𝐵 ′ 1 , 𝐵 ′ 2 . . . of 𝜋 ′ such that for each 𝑗 ≥ 0, 𝐵𝑗 and
𝐵 ′ 𝑗 are nonempty and finite, and every state in 𝐵𝑗′ is related
by ∼𝑗𝑠𝑠 to every state in 𝐵𝑗 .
A relation ∼𝑗𝑠𝑠 is a J-stuttering bisimulation if both ∼𝑗𝑠𝑠 and ∼𝑇𝑗𝑠𝑠
(𝑇 denotes transposition) are J-stuttering simulations.
Model 𝑀 ′ J-stuttering simulates model 𝑀 (𝑀 ≤𝑗𝑠𝑠 𝑀 ′ ) if there
is a J-knowledge stuttering simulation between 𝑀 and 𝑀 ′ . Two
models 𝑀 and 𝑀 ′ are called J-stuttering simulation equivalent if
𝑀 ≤𝑗𝑠𝑠 𝑀 ′ and 𝑀 ′ ≤𝑗𝑠𝑠 𝑀 . Two models 𝑀 and 𝑀 ′ are called
J-visible bisimulation equivalent if there is a J-visible bisimulation
between 𝑀 and 𝑀 ′ .
The following theorem connects ACTL*K𝐽−𝑋 with J-stuttering simulation equivalence:
T HEOREM 3.9. Let 𝑀 and 𝑀 ′ be two J-stuttering simulation
equivalent models. Then, 𝑀, 𝜄 ∣= 𝜑 iff 𝑀 ′ , 𝜄′ ∣= 𝜑, for any
ACTL*K𝐽−𝑋 formula 𝜑 over 𝑃 𝑉 .
P ROOF. J-stuttering simulation equivalence is clearly stronger
than stuttering simulation equivalence, which preserves ACTL∗−𝑋
[25]. Similarly to the proof of Theorem 3.7 one can show that
ACTL*K𝐽−𝑋 is preserved by J-stuttering simulation equivalence.
T HEOREM 3.10. Let 𝑀 and 𝑀 ′ be two J-stuttering bisimilar
models. Then, 𝑀, 𝜄 ∣= 𝜑 iff 𝑀 ′ , 𝜄′ ∣= 𝜑, for any CTL*K𝐽−𝑋 formula 𝜑 over 𝑃 𝑉 .
P ROOF. J-stuttering bisimulation is clearly stronger than stuttering bisimulation, which preserves CTL∗−𝑋 [7]. Similarly to the
proof of Theorem 3.7 one can show that CTL*K𝐽−𝑋 is preserved
by J-stuttering bisimulation.
Next, we define two relations such that one is stronger than Jstuttering simulation, while the other one is stronger than J-stuttering
bi-simulation. Both of them will be used for our partial order reductions.
D EFINITION 3.11 (J-V ISIBLE S IMULATION ). A relation
∼𝑗𝑘𝑣𝑠 ⊆ 𝐺′ × 𝐺 is a J-visible simulation between the states of two
models 𝑀 and 𝑀 ′ if
∙ 𝜄′ ∼𝑗𝑘𝑣𝑠 𝜄, and
∙ if 𝑔 ′ ∼𝑗𝑘𝑣𝑠 𝑔, then the following conditions hold:
1. 𝐽𝐾𝑆(𝑔, 𝑔 ′ ).
𝑏
2. If 𝑔 −→ 𝑡, then either 𝑏 is J-invisible and 𝑔 ′ ∼𝑗𝑘𝑣𝑠 𝑡,
𝑎𝑛−1
𝑎1
𝑎0
⋅ ⋅ ⋅ −→
𝑔1 −→
or there exists a path 𝑔 ′ = 𝑔0 −→
𝑏
𝑔𝑛 −→ 𝑡′ in 𝑀 ′ such that 𝑔𝑖 ∼𝑗𝑘𝑣𝑠 𝑔 for 𝑖 ≤ 𝑛, 𝑎𝑖 is
J-invisible for 𝑖 < 𝑛 and 𝑡′ ∼𝑗𝑘𝑣𝑠 𝑡.
𝑏
𝑏
0
1
3. If there is an infinite path 𝑔 = 𝑡0 −→
𝑡1 −→
⋅⋅⋅,
′
where 𝑏𝑖 is J-invisible and 𝑔 ∼𝑗𝑘𝑣𝑠 𝑡𝑖 for 𝑖 ≥ 0, then
𝑐
there exists an edge 𝑔 ′ −→ 𝑔 ′′ such that 𝑐 is J-invisible
′′
and 𝑔 ∼𝑗𝑘𝑣𝑠 𝑡𝑗 for some 𝑗 > 0.
A relation ∼𝑗𝑘𝑣𝑠 is a J-visible bisimulation if both ∼𝑗𝑘𝑣𝑠 and ∼𝑇𝑗𝑘𝑣𝑠
are J-visible simulations.
Model 𝑀 ′ J-visible simulates model 𝑀 (denoted 𝑀 ≤𝑗𝑘𝑣𝑠 𝑀 ′ )
if there is a J-visible simulation between the states of 𝑀 and 𝑀 ′ .
Two models 𝑀 and 𝑀 ′ are called J-visible simulation equivalent
if 𝑀 ≤𝑗𝑘𝑣𝑠 𝑀 ′ and 𝑀 ′ ≤𝑗𝑘𝑣𝑠 𝑀 . Two models 𝑀 and 𝑀 ′
are called J-visible bisimulation equivalent if there is a J-visible
bisimulation between the states of the two models.
It is quite straightforward to show that J-visible bisimulation (simulation) is stronger that J-stuttering bisimulation (simulation, resp.).
This concludes our analysis of equivalences preserving LTLK−𝑋 ,
ACTL*K−𝑋 , and CTLK−𝑋 . For each of the above mentioned logics, we now give an algorithm that for a given MAS and a formula
returns a reduced model. By means of the theorems we show that
the reduced model is equivalent to the full one.
4.
PARTIAL ORDER REDUCTIONS
As mentioned above, the idea of verification by model checking
with partial order reduction is to define an algorithm that given a
model can produce a smaller model provably validating the same
formulae of interest. This requires a notion of equivalence between
models. For the case of LTLK𝐽−𝑋 we show below that the notion
of J-stuttering trace equivalence presented above suffices. With
respect to branching time, for CTL*K−𝑋 (ACTL*K−𝑋 , respectively) we show we can use J-visible bisimulation (J-visible simulation equivalence, respectively). The algorithm presented explores
the given model and returns a reduced one. Traditionally, in partial
order reduction the exploration is carried out either by depth-firstsearch (DFS) (see [7]), or double-depth-first-search (DDFS) [4].
In this context DFS is used to compute paths that will make up
the reduced model by exploring systematically the possible computation tree and selecting only some of the possible paths generated.
In the following, a stack represents the path 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 ⋅ ⋅ ⋅ 𝑔𝑛
currently being visited. For the top element of the stack 𝑔𝑛 the
following three operations are computed in a loop:
1. The set 𝑒𝑛(𝑔𝑛 ) ⊆ 𝐴𝑐𝑡 of enabled actions (not including the
𝜖 action) is identified and a subset 𝐸(𝑔𝑛 ) ⊆ 𝑒𝑛(𝑔𝑛 ) of possible actions is heuristically selected (see below).
the algorithm is a submodel of the original. Its size crucially depends on the ratio 𝐸(𝑔)/𝑒𝑛(𝑔). Clearly, if 𝐸(𝑔) = 𝑒𝑛(𝑔) for all 𝑔
explored there is no reduction, and the algorithm returns the whole
model. The choice of 𝐸(𝑞) is constrained by the class of properties
that must be preserved. In the rest of this section, we present the
criteria based on the J-stuttering trace equivalence for the choice of
𝐸(𝑞) and give details of the DFS algorithm implementing them.
4.1
Preserving LTLK𝐽−𝑋
In the sequel, let 𝜙 be a LTLK𝐽−𝑋 formula to be checked over
the model 𝑀 with 𝐽 ⊆ 𝒜 such that for each subformula 𝐾𝑖 𝜑
contained in 𝜙, 𝑖 ∈ 𝐽, and let 𝑀 ′ be a submodel of 𝑀 , generated
by the algorithm. The states and the actions connecting states in
𝑀 ′ define a directed state graph. We give conditions defining a
heuristics for the selection of 𝐸(𝑔) (such that 𝐸(𝑔) ∕= 𝑒𝑛(𝑔)) while
visiting state 𝑔 in the algorithm below.
C1 No action 𝑎 ∈ 𝐴𝑐𝑡∖𝐸(𝑔) that is dependent (see Definition 2.3)
on an action in 𝐸(𝑔) can be executed before an action in
𝐸(𝑔) is executed.
C2 For every cycle in the constructed state graph there is at least
one node 𝑔 in the cycle for which 𝐸(𝑔) = 𝑒𝑛(𝑔), i.e., for
which all the successors of 𝑔 are expanded.
C3 All actions in 𝐸(𝑔) are invisible (see Definition 3.1).
CJ For each action 𝑎 ∈ 𝐸(𝑔), 𝐴𝑔𝑒𝑛𝑡(𝑎) ∩ 𝐽 = ∅, i.e., no action
in 𝐸(𝑔) changes local states of the agents in 𝐽.
The conditions C1−C3 are inspired from [22], whereas as we note
below CJ is aimed at preserving the truth value of subformulae of
the form 𝐾𝑖 𝜑 for 𝑖 ∈ 𝐽.
T HEOREM 4.1. Let 𝑀 be a model and 𝑀 ′ ⊆ 𝑀 be the reduced model generated by the DFS algorithm described above in
which the choice of 𝐸(𝑔 ′ ) for 𝑔 ′ ∈ 𝐺′ is given by C1, C2, C3, CJ
above. The following conditions hold:
∙ 𝑀 and 𝑀 ′ are J-stuttering trace equivalent;
∙ 𝑀 ∣= 𝜙 iff 𝑀 ′ ∣= 𝜙, for any 𝜙 ∈ LTLK𝐽−𝑋 .
P ROOF. Although the setting is different it can be shown similarly to Theorem 3.11 in [23] that the conditions C1, C2, C3 guarantee that the models 𝑀 and 𝑀 ′ are stuttering equivalent. More
precisely, for each path 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 ⋅ ⋅ ⋅ with 𝑔0 = 𝜄 in 𝑀 there
is a stuttering equivalent path 𝜋 ′ = 𝑔0′ 𝑎′0 𝑔1′ 𝑎′1 ⋅ ⋅ ⋅ with 𝑔0′ = 𝜄 in
𝑀 ′ and a partition 𝐵1 , . . . , 𝐵𝑗 , .. of the states of 𝜋 and a partition
𝐵1′ , . . . , 𝐵𝑗′ , .. of the states of 𝜋 ′ satisfying for each 𝑖, 𝑗 ≥ 0 the
following two conditions:
𝑎
I. if 𝑔𝑖 −→ 𝑔𝑖+1 is a transition such that 𝑔𝑖 , 𝑔𝑖+1 ∈ 𝐵𝑗 , then
𝑎′
′
𝑎 ∈ 𝐼𝑛𝑣𝑖𝑠, and if 𝑔𝑖′ −→ 𝑔𝑖+1
is a transition such that
′
𝑔𝑖′ , 𝑔𝑖+1
∈ 𝐵𝑗′ , then 𝑎′ ∈ 𝐼𝑛𝑣𝑖𝑠,
𝑎
2. For any action 𝑎 ∈ 𝐸(𝑔𝑛 ) compute the successor state 𝑔 ′
𝑎
such that 𝑔𝑛 → 𝑔 ′ , and add 𝑔 ′ to the stack thereby generating
′
the path 𝜋 = 𝑔0 𝑎0 𝑔1 𝑎1 ⋅ ⋅ ⋅ 𝑔𝑛 𝑎𝑔 ′ . Recursively proceed to
explore the submodel originating at 𝑔 ′ in the same way by
means of the present algorithm beginning at step 1.
3. Remove 𝑔𝑛 from the stack.
The algorithm begins with a stack comprising of the initial state
and terminates when the stack is empty. The model generated by
II. if 𝑔𝑖 −→ 𝑔𝑖+1 is a transition such that 𝑔𝑖 ∈ 𝐵𝑗 and 𝑔𝑖+1 ∈
𝑎′
𝐵𝑗+1 , and 𝑔𝑖′′ −→ 𝑔𝑖′′ +1 is a transition such that 𝑔𝑖′′ ∈ 𝐵𝑗′
′
and 𝑔𝑖′′ +1 ∈ 𝐵𝑗+1
, then 𝑎 = 𝑎′ .
Given condition CJ, for any two states 𝑔, 𝑔 ′ in 𝐵𝑗 or in 𝐵𝑗′ we
have that 𝐽𝐾𝑆(𝑔, 𝑔 ′ ). Moreover, from the above and condition 𝐼𝐼
one can show by induction that for each state 𝑔 ∈ 𝐵𝑗 and 𝑔 ′ ∈ 𝐵𝑗′
we have 𝐽𝐾𝑆(𝑔, 𝑔 ′ ). Since, 𝑀 ′ ⊆ 𝑀 , we get that the models
𝑀 and 𝑀 ′ are J-stuttering trace equivalent. The second part of the
theorem follows from this and Theorem 3.7.
4.2
Preserving ACTL*K−𝑋 and CTL*K−𝑋
Next, let 𝜙 be a ACTL*K−𝑋 or a CTL*K−𝑋 formula to be
checked over the model 𝑀 with 𝐽 ⊆ 𝒜 such that for each subformula 𝐾𝑖 𝜑 contained in 𝜙, 𝑖 ∈ 𝐽, and let 𝑀 ′ be a submodel
of 𝑀 , generated by the algorithm above. We now give additional
conditions, which together with C1 - C3, CJ, define a heuristics
for the selection of 𝐸(𝑔) (such that 𝐸(𝑔) ∕= 𝑒𝑛(𝑔)) while visiting
state 𝑔
C3’ 𝐸(𝑔) contains all the J-visible actions of 𝑒𝑛(𝑔); 𝑒𝑛(𝑔)∩𝑉 𝑖𝑠𝐽 ∕=
∅, i.e., there is at least one J-visible action in 𝑒𝑛(𝑔).
C4 𝐸(𝑔) is a singleton set.
C5 𝐸(𝑔) contains all the actions starting an infinite J-invisible path
from 𝑔 in 𝑀 .
The above conditions are inspired from [25].
T HEOREM 4.2. Let 𝑀 be a model and 𝑀 ′ ⊆ 𝑀 be the reduced model generated by a DFS algorithm described above.
a) If the choice of 𝐸(𝑔 ′ ) for 𝑔 ′ ∈ 𝐺′ is given by the conditions
C1, C2, C3’, and C5, then
– 𝑀 and 𝑀 ′ are J-visible simulation equivalent,
– 𝑀 ∣= 𝜙 iff 𝑀 ′ ∣= 𝜙, for any 𝜙 ∈ ACTL*K𝐽−𝑋 .
b) If the choice of 𝐸(𝑔 ′ ) for 𝑔 ′ ∈ 𝐺′ is given by the conditions
C1, C2, C3, C4, and CJ, then
– 𝑀 and 𝑀 ′ are J-visible bisimilar,
Algorithm 1 DFS-POR ()
1: 𝑔 ⇐ 𝑇 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘1); 𝑟𝑒𝑒𝑥𝑝𝑙𝑜𝑟𝑒 ⇐ 𝑓 𝑎𝑙𝑠𝑒;
2: if 𝑔 = 𝐸𝑙𝑒𝑚𝑒𝑛𝑡(𝑆𝑡𝑎𝑐𝑘1, 𝑖) then
3: 𝑑𝑒𝑝𝑡ℎ ⇐ 𝑇 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘2);
4: if 𝑖 > 𝑑𝑒𝑝𝑡ℎ then
5:
𝑟𝑒𝑒𝑥𝑝𝑙𝑜𝑟𝑒 ⇐ 𝑡𝑟𝑢𝑒;
6: else
7:
𝑃 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘1); return;
8: end if
9: end if
10: if 𝑟𝑒𝑒𝑥𝑝𝑙𝑜𝑟𝑒 = 𝑓 𝑎𝑙𝑠𝑒 and 𝑔 ∈ 𝐺 then
11: 𝑃 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘1); return;
12: end if
13: 𝐺 ⇐ 𝐺 ∪ {𝑔}; 𝐸(𝑔) ⇐ ∅;
14: if 𝑒𝑛(𝑔) ∕= ∅ then
15: if 𝑟𝑒𝑒𝑥𝑝𝑙𝑜𝑟𝑒 = 𝑓 𝑎𝑙𝑠𝑒 then
16:
for all 𝑎 ∈ 𝑒𝑛(𝑔) do
17:
if 𝑎 ∕∈ 𝑉 𝑖𝑠 and 𝑎 ∕∈ 𝑉 𝑖𝑠𝐽 and ∀𝑏 ∈ 𝑒𝑛(𝑔)∖{𝑎} : (𝑎, 𝑏) ∈ 𝐼
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
then
𝐸(𝑔) ⇐ {𝑎}; break;
end if
end for
end if
if 𝐸(𝑔) = ∅ then 𝐸(𝑔) ⇐ 𝑒𝑛(𝑔); end if
if 𝐸(𝑔) = 𝑒𝑛(𝑔) then
𝑃 𝑢𝑠ℎ(𝑆𝑡𝑎𝑐𝑘2, 𝐷𝑒𝑝𝑡ℎ(𝑆𝑡𝑎𝑐𝑘1));
end if
for all 𝑎 ∈ 𝐸(𝑔) do
𝑔 ′ ⇐ 𝑆𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟(𝑔, 𝑎); 𝑃 𝑢𝑠ℎ(𝑆𝑡𝑎𝑐𝑘1, 𝑔 ′ ); DFS-POR();
end for
end if
𝑑𝑒𝑝𝑡ℎ ⇐ 𝑇 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘2);
if 𝑑𝑒𝑝𝑡ℎ = 𝐷𝑒𝑝𝑡ℎ(𝑆𝑡𝑎𝑐𝑘1) then 𝑃 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘2); end if
𝑃 𝑜𝑝(𝑆𝑡𝑎𝑐𝑘1);
– 𝑀 ∣= 𝜙 iff 𝑀 ′ ∣= 𝜙, for any 𝜙 ∈ CTL*K𝐽−𝑋 .
P ROOF. (sketch) Part a): Since 𝑀 ′ is a sub-model of 𝑀 , it is
obvious that 𝑀 J-visible simulates 𝑀 ′ . In order to show the opposite, define the following relation: ∼ ⊆ 𝐺′ × 𝐺 by 𝑔 ′ ∼ 𝑔 iff
𝑎𝑛−1
𝑎1
𝑎0
⋅ ⋅ ⋅ −→ 𝑔𝑛 = 𝑔 such
𝑔1 −→
there exists a path 𝑔 ′ = 𝑔0 −→
that 𝑎𝑖 is J-invisible for all 𝑖 < 𝑛. Let ≈ = ∼ ∩ (𝐺′ × 𝐺). In
[25] it is shown that if the reduction algorithm uses the conditions
C1, C2, and the conditions weaker than C3’, C5 (visibility is used
instead of J-visibility), then the relation weaker than ≈ is a visible
simulation. Notice that with the change of visibility to J-visibility
in the conditions, ≈ can be proved to be a J-visible simulation.
Part b:) Define ∼ ⊆ 𝐺 × 𝐺 by 𝑔 ∼ 𝑔 ′ iff there exists a path
𝑎𝑛−1
𝑎0
𝑎1
. . . −→ 𝑔𝑛 = 𝑔 ′ , with 𝑔0 = 𝑔 such that 𝑎𝑖
𝑔1 −→
𝑔0 −→
is J-invisible and {𝑎𝑖 } satisfies the condition C1 from state 𝑔𝑖 for
0 ≤ 𝑖 < 𝑛. Consider ≈ = ∼ (𝐺 × 𝐺′ ). It is shown in [7] that
the relation weaker than ≈ is a visible bisimulation. By slightly
modifying the original proof, one can show that ≈ is a J-visible
bisimulation.
4.3
The DFS-POR algorithm
We now give details of the DFS algorithm implementing conditions C1, C2, C3, and CJ for the choice of 𝐸(𝑔). We use two
stacks: 𝑆𝑡𝑎𝑐𝑘1 represents the stack described above containing the
global states to be expanded, whereas 𝑆𝑡𝑎𝑐𝑘2 represents additional
information required to ensure condition C2 is satisfied, i.e., each
element in 𝑆𝑡𝑎𝑐𝑘2 is the depth of 𝑆𝑡𝑎𝑐𝑘1 when its top element is
fully explored. Initially, 𝑆𝑡𝑎𝑐𝑘1 contains the initial state, whereas
𝑆𝑡𝑎𝑐𝑘2 is empty. 𝐺 is the set of the visited states. The algorithm
DFS-POR does not generate the minimal J-stuttering equivalent
model; however its computation overheads are negligible and, as
we show in the section below, it is J-stuttering equivalent and produces attractive results in several cases.
In the algorithm, the function 𝑇 𝑜𝑝(𝑠) returns the top element of the
stack 𝑠; 𝑃 𝑢𝑠ℎ(𝑠, 𝑒) pushes the element 𝑒 onto the top of the stack
𝑠; 𝑃 𝑜𝑝(𝑠) removes the top element of the stack 𝑠; 𝐸𝑙𝑒𝑚𝑒𝑛𝑡(𝑠, 𝑖)
returns the 𝑖-th element of the stack 𝑠; 𝐷𝑒𝑝𝑡ℎ(𝑠) returns the depth
(size) of the stack 𝑠; 𝑆𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟(𝑔, 𝑎) returns the successor 𝑔 ′ such
𝑎
that 𝑔 → 𝑔 ′ .
Line 2 is used to detect a cycle. This can be implemented in the
time complexity 𝒪(1) by using a hash table to index the state in
𝑆𝑡𝑎𝑐𝑘1. If a cycle is found, we check whether at least one state is
expanded fully in the cycle. This check is done in line 4 by comparing the top element of 𝑆𝑡𝑎𝑐𝑘2 and the index 𝑖 of the repeated state
in 𝑆𝑡𝑎𝑐𝑘1. If the check fails, we set 𝑟𝑒𝑒𝑥𝑝𝑙𝑜𝑟𝑒 to true in order to
fully expand the top state 𝑔 in 𝑆𝑡𝑎𝑐𝑘1 to satisfy condition C2.
The lines 15-21 look for an action that is neither visible nor Jvisible, and is independent of any other actions in 𝑒𝑛(𝑔). A set
composed of such an action satisfies the conditions C1, C3 and CJ.
If no such action exists, we simply explore all enabled actions. This
could be improved by searching for an appropriate subset of 𝑒𝑛(𝑔)
to expand (e.g., [22] could be a starting point). In case 𝐸(𝑔) =
𝑒𝑛(𝑔), we push the current depth of 𝑆𝑡𝑎𝑐𝑘1 onto the top of 𝑆𝑡𝑎𝑐𝑘2
for checking C2. When all actions in 𝐸(𝑔) are visited, we remove
the top element of 𝑆𝑡𝑎𝑐𝑘1 and 𝑆𝑡𝑎𝑐𝑘2 properly.
We stress that DFS-POR is of linear complexity in the size of an
IIS and the reduced model constructed.
To add C4 to the algorithm (to preserve CTL*K𝐽−𝑋 ), we simply
change line 18 to be 𝐸(𝑔) ⇐ 𝐸(𝑔)∪{𝑎}, and change the condition
in line 22 to ∣𝐸(𝑔)∣ ∕= 1, where ∣𝐸(𝑔)∣ is the cardinality of 𝐸(𝑔).
In order to adapt the algorithm for preserving ACTL*K𝐽−𝑋 , we
need to replace the for statement starting at line 16 with the following code.
𝐷𝑒𝑝𝑒𝑛𝑑𝑒𝑛𝑡𝑂𝑓 (𝑋1, 𝑋2) recursively computes the set 𝑋 ′ ⊆
Algorithm 2 Checking C3’ and C5
1: 𝐸(𝑔) ⇐ (𝑒𝑛(𝑔) ∩ 𝑉 𝑖𝑠𝐽 );
2: 𝐸(𝑔)
⇐
𝐸(𝑔) ∪ {𝑎
∈
𝑒𝑛(𝑔) ∖
𝑎𝑐𝑡𝑖𝑜𝑛 a starts a loop composed of J-invisible actions};
3: 𝐸(𝑔) ⇐ 𝐷𝑒𝑝𝑒𝑛𝑑𝑒𝑛𝑡𝑂𝑓 (𝐸(𝑔), 𝑒𝑛(𝑔) ∖ 𝐸(𝑔));
𝐸(𝑔)
∣
linear, reduction in the number of states. In this case, we found the
algorithm for CTL*K𝐽−𝑋 brought negligible benefits of less than
1%.
N
3
4
5
6
7
8
𝑋1 ∪ 𝑋2 such that for all 𝑎 ∈ 𝑋 ′ , either 𝑎 ∈ 𝑋1 or there exists a set of actions {𝑎1 , . . . , 𝑎𝑚 } ⊆ 𝑋 ′ with (𝑎𝑖 , 𝑎𝑖+1 ) ∕∈ 𝐼
(1 ≤ 𝑖 < 𝑚) and 𝑎 = 𝑎1 , 𝑎𝑚 ∈ 𝑋1. As proposed in [25], an
action starts an infinite J-invisible path if it starts a local infinite
invisible path in the local state space of each agent of 𝐽. Here a
local infinite invisible path consists of only invisible actions from
the agent, ignoring synchronisations with other agents.
5.
EXPERIMENTAL RESULTS
In order to evaluate the results above, we have implemented the
DFS-POR algorithms to verify specification properties in LTLK𝐽−𝑋 ,
ACTL*K−𝑋 , and CTL*K𝐽−𝑋 . In doing so we are encouraged by
the observation of the preceding section that the algorithm’s complexity is linear both in the length of the formula and the size of a
model. We have conducted experiments for three systems: the TGC
of Section 2.1, the Dining Cryptographers (DC) [2], and the WriteOnce cache coherence protocol (WO) [32, 33], discussed below.
Starting with TGC, we tested the property expressing that whenever
the train 1 is in the tunnel, it knows that no other ⋀
train is in the tunnel at the same time: 𝐴𝐺(in_tunnel1 → 𝐾train1 𝑛
𝑖=2 ¬in_tunnel𝑖 ),
under the assumption that where 𝑛 is the number of trains in the
system, and the atomic proposition in_tunnel𝑖 holds in the states
where the train 𝑖 is in the tunnel2 . In the case of the LTLK𝐽−𝑋 algorithm, we found that the size of the reduced state space 𝑅(𝑛)
given by the algorithm is a function of the number of trains 𝑛, for
1 ≤ 𝑛 ≤ 10. This is compared to the size of the full state space
𝐹 (𝑛) below:
Full space
size
time
864
0.41
6480
0.49
46656
4.6
326592
44
2239488
465
15116544 4723
LTLK𝐽
−𝑋
size time
448 0.12
2160 0.18
9984
1.8
45248
6.8
202752
39
900864
228
ACTL*K𝐽
−𝑋
size time
320 0.27
1760 0.30
9600
1.5
51072
7.7
264192
57
1331712
380
Table 1: Verification results for DC.
The choice of the Write-One cache coherence protocol was inspired by [32], which analysed several cache coherence protocols
in a knowledge setting. We followed some of the criteria presented in [32] while modelling WO: each cache contains a single
bit, whose value can be either 0 or 1, the owner of the bit is either
the main memory or a cache. The details of the protocol can be
found in [33]. For the three algorithms, we tested the formula
𝐴𝐺((Dirty1 ∨ Reserved1 ) → (𝐾cache1
𝑛
⋀
Invalid𝑖 )),
𝑖=2
where Dirty𝑖 , Reserved𝑖 and Invalid𝑖 represent that cache 𝑖 is in
the state dirty, reserved, or invalid. Our implementation results in a
substantial reduction only for the LTLK𝐽−𝑋 case, see Table 2.
N
2
3
4
5
6
7
∙ 𝐹 (𝑛) = 𝑐𝑛 × 2𝑛+1 , for some 𝑐𝑛 > 1,
Full space
size
time
322
0.27
3668
0.59
40110
14.8
426984
264
4451778 3042
LTLK𝐽
−𝑋
size
time
82
0.13
1066
0.29
12402
5.6
131402
77
1311698
529
12585834 8870
∙ 𝑅(𝑛) = 3 + 4(𝑛 − 1).
Note that the reduced state space is exponentially smaller than the
original one. We also found that the algorithm for CTL*K𝐽−𝑋 gives
the same reduction as the one for LTLK𝐽−𝑋 . However, we found
that the ACTL*K𝐽−𝑋 variant does not produce any reduction. The
reason is that there is an invisible loop in the controller and the
trains.
As regards the DC scenario, we analysed a version with an arbitrary number of cryptographers. As in the original scenario [2] after all coins have been flipped each cryptographer observes whether
the coins he can see fell on the same side or not. If he did not pay
for dinner he states what he sees; if he did he states the opposite.
Since our model is interleaved we assume the announcements are
made in sequence; this does not affect the scenario. We used the
algorithms to reduce the models preserving the specification [15]:
𝐴𝐺((odd ∧ ¬pay1 )→((𝐾crypt1
𝑛
⋁
𝑛
⋀
pay𝑖 ) ∧ ( ¬𝐾crypt1 pay𝑖 ))),
𝑖=2
𝑖=2
number of announcements for different sides of the coins were
paid, and the atomic proposition pay𝑖 holds when cryptographer 𝑖
is the payer. Table 1 displays the sizes of the full and reduced state
spaces and the execution times (in seconds) on an AMD Opteron
clocked at 2.2GHz with 8GB memory running a vanilla Linux kernel 2.6.30. Notice that we get a substantial, certainly, more than
2
In the case of LTLK𝐽−𝑋 tests substitute AG with G in the formulas.
Table 2: Verification results for WO.
6.
CONCLUSIONS AND FURTHER WORK
As we argued in the introduction model checking multi-agent
systems is now a rapidly maturing area of research with techniques
and tools being rapidly applied to the validation of concrete MAS.
While some techniques - notably ordered binary decision diagrams
and bounded model checking have been redefined in a MAS setting - others, including abstraction and partial order reduction, are
still largely unexplored. In particular, partial order reduction is one
of the more traditional approaches, and it is therefore surprising
that its study has not been systematically carried out yet in a MAS
setting.
In this paper we tried to continue the preliminary analysis suggested in [17]. While only a notion of trace-equivalence is explored there, here we focused on interleaved interpreted systems,
for which we were able to give stuttering equivalence preservation
results, a linear algorithm preserving the validity on the models,
as well as an implementation thereby evaluating the performance
on two standard MAS scenarios. The results we found were very
positive in the linear time case, less so for the branching time case.
There are two reasons for that. Firstly, the equivalences induced
by the branching time logics are much stronger than the equivalence induced by LTLK𝐽−𝑋 . Secondly, for scenarios containing
loops composed of J-invisible actions, the reductions preserving
ACTL*K𝐽−𝑋 are quite limited.
Much remains to be done in this line. For instance, the partial
order reduction technique presented here may be combined with
ordered binary decision diagrams (for example within the MCMAS
toolkit [18]), or combined with bounded model checking (for example within the VerICS toolkit [14]), so that models are reduced
first and then symbolically encoded. It should also be noted that
the analysis presented here only applies to interleaved multi-agent
systems. The case of fully synchronous systems still remains to be
tackled.
7.
REFERENCES
[1] R. Bordini, M. Fisher, C. Pardavila, W. Visser, and
M. Wooldridge. Model checking multi-agent programs with
CASP. In Proc. of CAV03, LNCS 2725, 110–113. Springer,
2003.
[2] D. Chaum. The dining cryptographers problem:
Unconditional sender and recipient untraceability. Journal of
Cryptology, 1(1):65–75, 1988.
[3] E. Clarke, O. Grumberg, and D. Peled. Model Checking. The
MIT Press, Cambridge, Massachusetts, 1999.
[4] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis.
Memory-efficient algorithms for the verification of temporal
properties. Formal Methods in System Design,
1(2/3):275–288, 1992.
[5] R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi.
Reasoning about Knowledge. MIT Press, Cambridge, 1995.
[6] P. Gammie and R. van der Meyden. MCK: Model checking
the logic of knowledge. In Proc. of CAV04, LNCS 3114,
479–483. Springer, 2004.
[7] R. Gerth, R. Kuiper, D. Peled, and W. Penczek. A partial
order approach to branching time logic model checking.
Information and Computation, 150:132–152, 1999.
[8] P. Godefroid. Using partial orders to improve automatic
verification methods. In Proc. of CAV90, LNCS 531, 176 185. Springer, 1991.
[9] J. Halpern, R. Meyden, and M. Y. Vardi. Complete
axiomatisations for reasoning about knowledge and time.
SIAM Journal on Computing, 33(3):674–703, 2003.
[10] J. Halpern and Y. Moses. Knowledge and common
knowledge in a distributed environment. Journal of the ACM,
37(3):549–587, 1990.
[11] W. v. Hoek and M. Wooldridge. Model checking knowledge
and time. In Proc. of SPIN02, LNCS 2318, 95–111. Springer,
2002.
[12] G. Holzmann and D. Peled. Partial order reduction of the
state space. In Proc. of SPIN95, Montréal, Quebec, 1995.
[13] G. Holzmann, D. Peled, and M. Yannakakis. On nested depth
first search. In Proc. of SPIN96, 23–32. AMS, 1996.
[14] M. Kacprzak, W. Nabialek, A. Niewiadomski, W. Penczek,
A. Polrola, M. Szreter, B. Wozna, and A. Zbrzezny. VerICS
2007 - a Model Checker for Knowledge and Real-Time.
Fundamenta Informaticae 85(1-4): 313-328, 2008.
[15] M. Kacprzak, A. Lomuscio, A. Niewiadomski, W. Penczek,
F. Raimondi, and M. Szreter. Comparing BDD and SAT
based techniques for model checking Chaum’s dining
cryptographers protocol. Fundamenta Informaticae,
63(2-3):221–240, 2006.
[16] M. E. Kurbán, P. Niebert, H. Qu, and W. Vogler. Stronger
reduction criteria for local first search. In Proc. of ICTAC06,
LNCS 4281, 108–122. Springer, 2006.
[17] A. Lomuscio, W. Penczek, and H. Qu. Towards partial order
reduction for model checking temporal epistemic logic. In
Proc. of MoChArt08, LNAI 5348, 106–121. Springer, 2009.
[18] A. Lomuscio, H. Qu, and F. Raimondi. MCMAS: A model
checker for the verification of multi-agent systems. In Proc.
of CAV09, LNCS 5643, 682–688. Springer, 2009.
[19] K. L. McMillan. Symbolic Model Checking. Kluwer
Academic Publishers, 1993.
[20] K. L. McMillan. A technique of a state space search based on
unfolding. Formal Methods in System Design, 6(1):45–65,
1995.
[21] R. Parikh and R. Ramanujam. Distributed processes and the
logic of knowledge. In Logic of Programs, LNCS 193,
256–268. Springer, 1985.
[22] D. Peled. All from one, one for all: On model checking using
representatives. In Proc. of CAV93, LNCS 697, 409–423.
Springer, 1993.
[23] D. Peled. Combining partial order reductions with on-the-fly
model-checking. In Proc. of CAV94, LNCS 818, 377–390.
Springer, 1994.
[24] W. Penczek and A. Lomuscio. Verifying epistemic properties
of multi-agent systems via bounded model checking.
Fundamenta Informaticae, 55(2):167–185, 2003.
[25] W. Penczek, M. Szreter, R. Gerth, and Ruurd Kuiper.
Improving Partial Order Reductions for Universal Branching
Time Properties. Fundamenta Informaticae, 43(1-4):
245-267, 2000.
[26] A. Puri and P. Varaiya. Verification of hybrid systems using
abstractions. In Hybrid Systems II, LNCS 999, 359–369.
Springer, 1995.
[27] F. Raimondi and A. Lomuscio. Automatic verification of
multi-agent systems by model checking via OBDDs. Journal
of Applied Logic, 5(2):235-251, 2007.
[28] S. Rosenschein. Formal theories of ai in knowledge and
robotics. New Generation Computing, 3:345–357, 1985.
[29] A. Valmari. A stubborn attack on state explosion. In Proc. of
CAV90, LNCS 531, 156–165. Springer, 1990.
[30] W. van der Hoek, M. Roberts, and M. Wooldridge.
Knowledge and social laws. In Proc. of AAMAS05, 674–681.
ACM Press, 2005.
[31] R. van der Meyden and K. Su. Symbolic model checking the
knowledge of the dining cryptographers. In Proc. of
CSFW04, 280–291, IEEE. 2004.
[32] K. Baukus and R. van der Meyden. A Knowledge Based
Analysis of Cache Coherence. In Proc. of ICFEM04, LNCS
3308, 99–114. Springer. 2004.
[33] J. Archibald and J.-l. Baer. Cache coherence protocols:
Evaluation using a multiprocessor simulation model. ACM
Transactions on Computer Systems, 4:273–298, 1986.